[Samba] AD authentication issue in Samba (kerberos errors)

Paul R. Ganci ganci at nurdog.com
Thu Mar 21 01:56:10 UTC 2019

On 3/20/19 9:40 AM, Rowland Penny via samba wrote:
> On Wed, 20 Mar 2019 17:22:36 +0200
> "linux.il via samba" <samba at lists.samba.org> wrote:
>> Rowland,
>> Thank you, I'll try to implement your suggestions.
>> But it definitely worked without winbind.
> Then your 'Samba' problem isn't a Samba problem :-)
> As far as Samba is concerned, you have always needed to run winbind on a
> Unix ads domain member. It became mandatory from 4.8.0

I will also second that winbind is not necessary on a member server. I 
have 4 CentOS 7 member servers and none of them have winbind running on 
them. Each of these uses SSSD and has absolutely no problems. These 
systems have been operating without winbind for years. When I updated to 
4.8 and 4.9 on the Samba AD, which does use winbind, the member servers 
were never updated to use winbind. So I don't know under what circumstances 
it is deemed that winbind is necessary on a domain member. I can just 
confirm, like the OP, that it is not necessary on any of the domain 
members I am running.

Having said that, I explicitly run:

 > cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)

This version of CentOS runs on every Linux box I have. On the AD I run 
the Sernet packages for CentOS:

 > rpm -qa | grep sernet

On each member server I have these RPMs from the CentOS repository:

 >rpm -qa | grep samba


None of these samba packages contains winbind:

 > rpm -ql `rpm -qa | grep samba` | grep winbind

The /var/run/winbindd directory is only where the process ID would end 
up if I were running winbind. The actual CentOS RPM containing winbind 
is the package samba-winbind, which as you can see is not listed in the 
member server samba package list.

Here is the result of a ps on one of my member servers:

 > ps auxww | grep win
prg-118+ 21497  0.0  0.0 112708   972 pts/2    S+   19:38   0:00 grep --color=auto win

Note there is no winbindd running.

Moreover, here is the result of a getent passwd user (I sanitized the 
user) on a member server not running winbindd:

 > getent passwd user

user:*:10000:10513:User Name:/home/user:/bin/bash

Here is the Samba config /etc/smb.conf from the same member server:

    security = ads
    workgroup = MYHOME

    log file = /var/log/samba/%m.log

    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 30000-100000
    idmap config MYHOME:backend = ad
    idmap config MYHOME:schema_mode = rfc2307
    idmap config MYHOME:range = 10000-29999

Note that the user ID falls in the MYHOME domain range, so it is 
indeed an AD user.

So maybe someday I will have problems, but using SSSD with a proper setup 
allows me to use a Samba AD without having to run winbind on the member 
server. I will continue to operate like that until the day I have an 
issue, so I will keep this message handy in a notebook just in case. But 
I firmly believe that a proper SSSD setup precludes the need for winbind 
at this point in time.

Paul (ganci at nurdog.com)
Cell: (303)257-5208
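The getent output and the idmap ranges in the post above suggest a check worth scripting when you are deciding whether a member server is really resolving AD users the way you think: does the UID handed back fall in the AD-backed idmap range (MYHOME, 10000-29999) or in the default "*" tdb range (30000-100000), and which NSS module is serving passwd lookups? The script below is an added example, not code from Paul's post or from the Samba project. It reads constructed copies of smb.conf and nsswitch.conf written to a temp directory; the nsswitch.conf contents, the second sample account and the temp paths are assumptions, and the winbindd process check is informational only.

```shell
#!/bin/sh
# Added example (not from the list post): report where a domain member's
# UIDs come from by reading "idmap config <DOMAIN>:range" lines from an
# smb.conf, the passwd sources from nsswitch.conf and a "getent passwd" line.

# Print every idmap range in CONF as "DOMAIN LOW HIGH", one per line.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config \([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$1"
}

# uid_range_owner CONF UID: print the domain whose range contains UID,
# "default" if only the "*" range contains it, or "none".
uid_range_owner() {
    _owner=none
    while read -r dom lo hi; do
        [ -n "$lo" ] || continue
        if [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then
            if [ "$dom" = '*' ]; then
                [ "$_owner" = none ] && _owner=default
            else
                _owner=$dom   # a named domain range wins over "*"
            fi
        fi
    done <<EOF
$(idmap_ranges "$1")
EOF
    echo "$_owner"
}

# Print the NSS modules configured for passwd lookups, e.g. "files sss".
passwd_sources() {
    sed -n 's/^[[:space:]]*passwd[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1
}

# Third field of a "getent passwd" line.
passwd_uid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# describe_user PASSWD_LINE SMB_CONF NSSWITCH_CONF: one-line verdict.
describe_user() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    uid=$(passwd_uid "$1")
    owner=$(uid_range_owner "$2" "$uid")
    srcs=$(passwd_sources "$3")
    echo "$user uid=$uid range=$owner nss=$srcs"
}

# Is winbindd running on this host? Informational; depends on the host.
winbindd_running() {
    if command -v pgrep >/dev/null 2>&1 && pgrep -x winbindd >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Constructed inputs mirroring the post's smb.conf; nsswitch.conf is assumed.
write_demo_inputs() {
    cat > "$1/smb.conf" <<'EOF'
[global]
    security = ads
    workgroup = MYHOME
    idmap config *:backend = tdb
    idmap config *:range = 30000-100000
    idmap config MYHOME:backend = ad
    idmap config MYHOME:schema_mode = rfc2307
    idmap config MYHOME:range = 10000-29999
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:     files sss
group:      files sss
EOF
}

demo_dir=${TMPDIR:-/tmp}/idmap-demo.$$
mkdir -p "$demo_dir"
write_demo_inputs "$demo_dir"
# The sanitized AD user from the post, and a made-up account in the "*" range.
describe_user 'user:*:10000:10513:User Name:/home/user:/bin/bash' "$demo_dir/smb.conf" "$demo_dir/nsswitch.conf"
describe_user 'svc:*:30042:30042:Allocated:/nonexistent:/sbin/nologin' "$demo_dir/smb.conf" "$demo_dir/nsswitch.conf"
echo "winbindd running: $(winbindd_running)"
rm -rf "$demo_dir"
```

On a real member server point the functions at /etc/samba/smb.conf (or wherever the config actually lives) and /etc/nsswitch.conf, and feed them the output of `getent passwd <user>`. A UID that lands in the "*" range rather than the domain range means it was allocated locally from the tdb rather than read from the rfc2307 attributes in AD, which is exactly the kind of mismatch that shows up as "it works here but not on the other box".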
